Yellow Dog Linux Security Advisory: YDU-20020801-2

Dan Burcaw yellowdog-updates@lists.terrasoftsolutions.com
Thu, 1 Aug 2002 15:55:59 -0600 (MDT)


Yellow Dog Linux Security Announcement
--------------------------------------

Package:	glibc
Issue Date: 	August 1, 2002	
Priority:	medium	
Advisory ID: 	YDU-20020801-2


1. 	Topic:

	Updated glibc packages are available.


2. 	Problem:

	"The glibc package contains standard libraries which are used by
	multiple programs on the system.

	A buffer overflow vulnerability has been found in the way the glibc
	resolver handles the resolution of network names and addresses via DNS
	(as per Internet RFC 1011). Version 2.2.5 of glibc and earlier versions
	are affected. A system would be vulnerable to this issue if the
	"networks" database in /etc/nsswitch.conf includes the "dns" entry. By
	default, [Yellow Dog] Linux ships with "networks" set to "files" and
	is therefore not vulnerable to this issue. (CAN-2002-0684)"
	(from Red Hat Advisory)
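
The advisory ties exposure to whether the "networks" database in /etc/nsswitch.conf lists "dns". The check below is an added example, not part of the original advisory or the quoted Red Hat text; the function name networks_dns_status and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): classify the "networks" line of an
# nsswitch.conf-style file. The function name and sample data are constructed.

# Prints one of:
#   dns        - "dns" is listed as a source for networks (the exposed setting)
#   no-dns     - a networks line exists and does not list dns
#   unset      - no networks line; the library's built-in default applies,
#                which this script does not know, so review by hand
#   unreadable - the file could not be read
networks_dns_status() {
    conf=$1
    if [ ! -r "$conf" ]; then
        echo unreadable
        return 0
    fi
    awk '
        { sub(/#.*/, "") }                        # drop comments
        /^[ \t]*networks[ \t]*:/ {
            seen = 1
            sub(/^[ \t]*networks[ \t]*:/, "")     # keep only the source list
            gsub(/\[[^]]*\]/, " ")                # drop [STATUS=action] items
            # Conservative: flag dns if any networks line lists it.
            for (i = 1; i <= NF; i++) if ($i == "dns") dns = 1
        }
        END { print (dns ? "dns" : (seen ? "no-dns" : "unset")) }
    ' "$conf"
}

# Constructed samples mirroring the two settings the advisory contrasts.
sample=$(mktemp)
printf '%s\n' 'hosts:    files dns' 'networks: files   # shipped default' > "$sample"
echo "shipped default: $(networks_dns_status "$sample")"
printf '%s\n' 'hosts: files' 'networks: files [NOTFOUND=return] dns' > "$sample"
echo "dns enabled:     $(networks_dns_status "$sample")"
rm -f "$sample"

# On a live system: networks_dns_status /etc/nsswitch.conf
```

A "dns" result means the update in section 3 should be applied before the setting is relied on; "unset" needs a manual look because the fallback is decided inside the library.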


3. 	Solution:

   	a) Updating via apt...
   	We suggest that you use the apt-get program to keep your
   	system up-to-date. The following command(s) will retrieve
   	and install the fixed version of this update onto your system:

		apt-get update
		apt-get install glibc

   	b) Updating manually...
	Download the updates below for your version of Yellow Dog Linux
	and then run the following rpm command.
   	(Please use a mirror site)

		rpm -Fvh [filenames]

		Yellow Dog Linux 2.3
			  ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
			  	ppc/glibc-2.2.5-1.2.3a.ppc.rpm
			  	ppc/glibc-common-2.2.5-1.2.3a.ppc.rpm
			  	ppc/glibc-devel-2.2.5-1.2.3a.ppc.rpm
			  	ppc/glibc-profile-2.2.5-1.2.3a.ppc.rpm
			  	ppc/nscd-2.2.5-1.2.3a.ppc.rpm

		Yellow Dog Linux 2.2
			  ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/
			  	ppc/glibc-2.2.5-1.2.2a.ppc.rpm
			  	ppc/glibc-common-2.2.5-1.2.2a.ppc.rpm
			  	ppc/glibc-devel-2.2.5-1.2.2a.ppc.rpm
			  	ppc/glibc-profile-2.2.5-1.2.2a.ppc.rpm
			  	ppc/nscd-2.2.5-1.2.2a.ppc.rpm

4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
[Yellow Dog Linux 2.3]
e75df29971655f990a6a5b9a98924f37  ppc/glibc-2.2.5-1.2.3a.ppc.rpm
a9bc63468bd7c91fae2321c99c2c5a4a  ppc/glibc-common-2.2.5-1.2.3a.ppc.rpm
fdfe07b747a5745ea17a68ac3a02703f  ppc/glibc-devel-2.2.5-1.2.3a.ppc.rpm
d4231fe4c2f3e35ddfc0be090d6fd042  ppc/glibc-profile-2.2.5-1.2.3a.ppc.rpm
3e8ef6492b919a7312aa2159e72e4893  ppc/nscd-2.2.5-1.2.3a.ppc.rpm
86079e5b9e2c110e73f5f08c0c8079f5  SRPMS/glibc-2.2.5-1.2.3a.src.rpm

[Yellow Dog Linux 2.2]
5a9e8dfcfa6a076d7eababf41ace3c38  ppc/glibc-2.2.5-1.2.2a.ppc.rpm
e4da9a723e183a2c4622bafbbe1ce8ad  ppc/glibc-common-2.2.5-1.2.2a.ppc.rpm
e4de3964877bb9a10a70007d1052bacc  ppc/glibc-devel-2.2.5-1.2.2a.ppc.rpm
03e9e72db5d632a07aabcc48240bc918  ppc/glibc-profile-2.2.5-1.2.2a.ppc.rpm
1696491d9b6470f088b54e0b30bbb020  ppc/nscd-2.2.5-1.2.2a.ppc.rpm
188ba4de2de082a64669b798cd83addd  SRPMS/glibc-2.2.5-1.2.2a.src.rpm


If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename


5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.

For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml